Rogue One — the best cybersecurity videotraining

Ten mistakes that led to the destruction of the Death Star.

Last year we analyzed an incident depicted in Star Wars: Episode IV. However, we got the feeling even back then that the security failures that led to the destruction of the Death Star were only the tip of the iceberg. The Empire’s problems with information systems security are clearly of a more galactic nature. Fortunately, researchers from Lucasfilm conducted a thorough investigation of the events preceding this incident and published it under the name Rogue One: A Star Wars Story. Here’s what this video document revealed.

Security begins with HR

Rogue One begins with the Imperial Military’s head of innovative projects, Orson Krennic, and a team of HR specialists headhunting top developer Galen Erso to work on the Death Star superweapon project. What do we know about Erso? First, he previously worked on the project before tendering his resignation. Second, he’s in no hurry to return. But Imperial HR makes him an offer that he can’t refuse, and back he goes. Later, it hits Krennic that Erso was an industrial spy, the source of the leaked plans.

Such an employee should never have been allowed to work with sensitive information — or hired at all — something the HR team should have picked up on at the recruitment stage. But they failed to identify the risks. Some timely security awareness training would have helped them spot the red flags during the screening process.

Andrey Nikishin, Special Projects Director, Future Technologies, Kaspersky Lab
If you think the above situation is contrived, you are sorely mistaken. The human factor and inadequate cybersecurity training are the cause of most incidents at industrial facilities.

Top-secret lab on Eadu

Galen Erso is taken to a kyber crystal processing plant on the planet Eadu. This is essentially a Gulag-style “experimental design bureau,” where he is coerced into working on a top-secret military project. As we said, entrusting him with a secret project is stupid. But having him work there with no supervision is doubly stupid. Erso implants a vulnerability in the Death Star.

In complex projects, especially when designing critical infrastructure objects, it is vital to perform additional analysis of the project for implants before its construction begins. All the more so with such a suspicious and disgruntled employee on the team.

Andrey Nikishin, Special Projects Director, Future Technologies, Kaspersky Lab
I’m 100% sure that our modern methods for developing secure software were known to the Imperial developers. So why didn’t they apply them? Probably for the same reason some industrial software developers today don’t either — their focus is elsewhere. The Death Star is a prime example of what can happen as a consequence.

The lack of a security assessment is nothing new. But the idea that Erso, deprived of contact with the outside world, can still communicate with Imperial pilots — to the extent that he actually recruits one of them — is pushing it too far.

As a result, he basically:

  1. Reveals to the Rebels the existence of the Death Star.
  2. Informs them of the vulnerability.
  3. Gives away the location of the blueprints on the planet Scarif.

The Scarif vault

This high-security data vault was in fact designed much better than most other Imperial facilities. First, Scarif is surrounded by a force field through which no physical object can pass (and which also serves as a firewall). It has only one entry point, which is controlled from the center. The data is stored on offline hard drives (a high-quality air gap) protected with a biometric lock. The transmission antenna is also cut off from the network — physical access is required to activate it.

But biometrics is not ideal as an access protection mechanism. In this case, it is bypassed by simply holding a dead officer’s hand against the scanner. The firewall too is no panacea. It effectively blocks the transfer of large amounts of data, but it can be circumvented by strengthening the signal of the Rebels’ transmitter using internal communication systems. Besides, connecting the ship to the system is just a matter of attaching a few cables and turning a lever. No authentication system at all! This allows the Rebels to launch a powerful DDoS attack on the firewall from orbit.

Most devastatingly of all, the much-vaunted transmission antenna is not protected in the slightest. Insert a disk and hey presto! Were they really so sure of the firewall’s impenetrability?

Andrey Nikishin, Special Projects Director, Future Technologies, Kaspersky Lab
This is painfully similar to how cyberdefense at modern industrial facilities is often implemented in reality. Everything seems well conceived until you get down to conducting a security audit and drawing up a threat model, which is when simple attack vectors start popping up. And attacks in our world might not be limited to data leakage — the consequences could be far more fatal.

Internet of Things

The catastrophic situation surrounding IoT security warrants special mention. The Rebels use a reprogrammed K-2SO droid. This isn’t some kind of astromech or interpreter. K-2SO is a strategic analyst. And judging by its behavior, it is hacked good and proper. Everything there is to know about Imperial protocols is stored in that droid’s memory. But what sort of operating system allows its device to be reprogrammed? And why does the Imperial system still think that K-2SO is friendly and authorize its communication with computers at all? How can the Empire not know that this droid has gone rogue? After all, it’s a piece of critical infrastructure.

As a result of lax Imperial security, K-2SO is able to quietly retrieve data from other droids, connect to the Imperial Archive in search of information, and take control of the station’s defense mechanisms.

Imperial High Command

The information security decisions made by the Imperial commanders should be analyzed separately. There are plenty to choose from.

Grand Moff Tarkin

Tarkin adopts heavy-handed tactics in the fight against information leaks. Basically, he destroys entire cities along with any leaks discovered. His first such order is to annihilate the holy city on the planet Jedha on learning from agents about a defector who knows about the construction of the Death Star. The second time is against the Imperial Archive on Scarif when news arrives that it is under Rebel attack.

But annihilation is a rather ineffective measure, comparable to reinstalling an infected system. A far better strategy on discovering the leak would have been to conduct an urgent in-depth analysis of the incident to find out what data had been stolen and whether the defector could have passed it to the Rebels. And if instead of destroying the Holy City on Jedha the Empire had intercepted the relevant message, it would have learned about the vulnerability.

Orson Krennic

Aside from his idiotic obsession with bringing Galen Erso back onboard the secret project, Krennic’s decisions are quite rational. For one thing, he tries to conduct an investigation: On arriving at the base on Scarif, he demands that all messages ever sent by Galen Erso be analyzed. Although somewhat belated, such actions could have led to finding the vulnerability.

Remember too that it’s Krennic’s bright idea to shut down the base and shield during the Rebel attack, switching the firewall to full ban mode.

Andrey Nikishin, Special Projects Director, Future Technologies, Kaspersky Lab
In my view, Rogue One is perhaps the best film from the new chapter of the saga. What’s more, it provides material for cybersecurity training for industrial facilities and critical infrastructure. Anyone who works in the field of cybersecurity should watch it, even those who aren’t fans of Star Wars. It’s essentially a training manual for the course “How not to protect critical information infrastructure.”
Tips